U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Evaluation Report

Evaluation of the U.S. Chemical Safety and Hazard Investigation Board’s Compliance with the Federal Information Security Management Act (Fiscal Year 2009)

Report No. 10-P-0174

August 2, 2010


Abbreviations

CSB        U.S. Chemical Safety and Hazard Investigation Board
EPA        U.S. Environmental Protection Agency
FISMA      Federal Information Security Management Act
FY         Fiscal Year
IG         Inspector General
NIST       National Institute of Standards and Technology
OIG        Office of Inspector General
OMB        Office of Management and Budget
POA&M      Plans of Action and Milestones
SP         Special Publication


U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

10-P-0174
August 2, 2010

Evaluation of the U.S. Chemical Safety and Hazard Investigation Board’s Compliance with the Federal Information Security Management Act (Fiscal Year 2009)

Why We Did This Review

We performed this review to assess the U.S. Chemical Safety and Hazard Investigation Board’s (CSB’s) compliance with the Federal Information Security Management Act of 2002 (FISMA).

Background

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) contracted with KPMG, LLP, to perform the Fiscal Year (FY) 2009 FISMA assessment. The evaluation adhered to the Office of Management and Budget (OMB) reporting guidance for microagencies, a category that includes CSB. We also performed additional procedures to assess the information security program at CSB.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20100802-10-P-0174.pdf

What KPMG Found

During our FY 2009 evaluation, KPMG noted that CSB does have an information security program in place that appears to be functioning as designed. We also noted that CSB does take information security weaknesses seriously, as three of the four prior year issues were closed. However, during this year’s assessment, we identified areas where CSB could improve upon its Risk Assessment, System Security Planning, Plans of Action and Milestones, Contingency Planning, Access Controls, and Audit Logging practices.

In addition to reviewing CSB’s information security practices, KPMG conducted a network vulnerability test of key CSB system and network devices. This test revealed vulnerabilities related to insecure system protocols, default configurations, and unpatched devices. While Board Order 034 provides policies and procedures for maintaining device security, CSB personnel did not always follow this guidance to ensure that network devices were appropriately secured as prescribed. Insecure protocols, default configurations, and unpatched devices significantly elevate CSB’s risk of system and data compromise by unauthorized users, which could lead to the alteration or deletion of critical data and a degradation of system performance. KPMG provided the network vulnerability results to CSB management, and CSB worked diligently to remediate the identified weaknesses.

What KPMG Recommends

KPMG recommends that CSB:

   •   Provide appropriate training to CSB individuals responsible for completing the Information Technology System risk assessment, security plan, and access control procedures.
   •   Develop, maintain, and periodically test the Information Technology System contingency plan in accordance with Board Order 034 and federal guidance.
   •   Develop a process to maintain access approval requests for the Information Technology System.
   •   Update Board Order 034 to document a process for maintaining information security Plans of Action and Milestones.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

August 2, 2010

MEMORANDUM

SUBJECT:       Evaluation of the U.S. Chemical Safety and Hazard Investigation Board’s
               Compliance with the Federal Information Security Management Act
               (Fiscal Year 2009)
               Report No. 10-P-0174

FROM:          Arthur A. Elkins, Jr.
               Inspector General

TO:            The Honorable Rafael Moure-Eraso, Ph.D.
               Chairman and Chief Executive Officer
               U.S. Chemical Safety and Hazard Investigation Board

This final report on the above subject area summarizes the results of information technology security work performed by KPMG, LLP, under the direction of the U.S. Environmental Protection Agency’s Office of Inspector General (OIG). The report also includes KPMG’s completed Fiscal Year 2009 Federal Information Security Management Act Reporting Template, as prescribed by the Office of Management and Budget.

The estimated cost for performing this audit, which includes contract costs and OIG contract management oversight, is $113,478.

If you or your staff have any questions regarding this report, please contact Rudolph Brevard at (202) 566-0893 or brevard.rudy@epa.gov; or Gina Ross, Project Manager, at (202) 566-1041 or ross.gina@epa.gov.


August 2, 2010

SUBJECT:       Evaluation of the U.S. Chemical Safety and Hazard Investigation Board’s
               Compliance with the Federal Information Security Management Act for
               Fiscal Year 2009

THRU:          Arthur A. Elkins, Jr.
               Inspector General
               U.S. Environmental Protection Agency

TO:            The Honorable Rafael Moure-Eraso, Ph.D.
               Chairman and Chief Executive Officer
               U.S. Chemical Safety and Hazard Investigation Board

Attached is the KPMG, LLP, final report on the above subject audit. KPMG, LLP, performed the Federal Information Security Management Act (FISMA) evaluation on behalf of the U.S. Environmental Protection Agency. This report includes the test results for selected minimally required information security controls defined by the National Institute of Standards and Technology and the Office of Management and Budget FISMA reporting template for microagencies.

If you or your staff have any questions regarding this report, please contact Rudolph Brevard at (202) 566-0893 or brevard.rudy@epa.gov; or Gina Ross at (202) 566-1041 or ross.gina@epa.gov.


Evaluation of the U.S. Chemical Safety and Hazard Investigation Board’s Compliance with the Federal Information Security Management Act (Fiscal Year 2009)                                                    10-P-0174

Table of Contents

   Purpose ..................................................... 1
   Background .................................................. 1
   Scope and Methodology ....................................... 1
   Findings .................................................... 2
           Risk Assessment ..................................... 2
           Plans of Action and Milestones ...................... 2
           Contingency Plan .................................... 3
           Access Control ...................................... 3
           Audit Logs .......................................... 3
   Recommendations ............................................. 4
   Agency Response and KPMG Comments ........................... 4
   Status of Recommendations and Potential Monetary Benefits ... 5

Appendices
   A       Microagency Reporting Template ...................... 6
   B       Agency Response to Draft Report ..................... 7


Purpose

The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) initiated this audit to assess the U.S. Chemical Safety and Hazard Investigation Board’s (CSB) compliance with the Federal Information Security Management Act (FISMA) for Fiscal Year (FY) 2009. The OIG contracted with KPMG, LLP, to conduct the audit.

Background

On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as FISMA (the Federal Information Security Management Act), focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency. This program includes providing security for information systems provided or managed by another agency, contractor, or other source. FISMA assigns specific responsibilities to agency heads and Inspectors General (IGs). It is supported by security policy promulgated through the Office of Management and Budget (OMB), and risk-based standards and guidelines published in the National Institute of Standards and Technology (NIST) Special Publication (SP) series.

Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA directs federal agencies to report annually to the OMB Director, Comptroller General, and selected congressional committees on the adequacy and effectiveness of agency information security policies, procedures, and practices and compliance with FISMA. In addition, FISMA requires agencies to have an annual independent evaluation performed of their information security programs and practices and to report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the agency IG or an independent external auditor as determined by the IG.

Scope and Methodology

The scope of our testing included the CSB Information Technology System, the only CSB information technology system that is subject to FISMA reporting requirements.

We conducted our testing through inquiry of CSB personnel, observation of activities, inspection of relevant documentation, and the performance of limited technical security testing. Some examples of our inquiries with agency management and personnel included, but were not limited to, the process for documenting system security plans, processing user access, and the configuration management process. Examples of our observations included, but were not limited to, viewing access control settings on-screen, and viewing access control settings for portable and mobile devices. Some examples of the documents inspected included, but were not limited to, the CSB Information Technology System security plan and CSB Board Order 034, Information Technology Security Program.

We performed a network vulnerability assessment of CSB’s network infrastructure. We used a commercially available tool that tests networked information resources for commonly known vulnerabilities. We provided the results of this testing to CSB management separately.

We performed this evaluation in accordance with Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States.

Findings

During our FY 2009 evaluation, we noted that CSB does have an information security program in place that appears to be functioning as designed. We also noted that CSB does take information security weaknesses seriously, as three of the four prior year issues were closed. However, during this year’s assessment, we identified areas where CSB could improve upon its Risk Assessment, System Security Planning, Plans of Action and Milestones (POA&M), Contingency Planning, Access Controls, and Audit Logging practices.

In addition, we conducted a network vulnerability assessment of key CSB system and network devices. Our tests revealed vulnerabilities related to insecure system protocols, default configurations, and unpatched devices. While Board Order 034 provides policies and procedures for maintaining device security, CSB personnel did not always follow this guidance to ensure that network devices were appropriately secured as prescribed. Insecure protocols, default configurations, and unpatched devices significantly elevate CSB’s risk of system and data compromise by unauthorized users, which could lead to altering or deleting critical data and degrading system performance. We have provided the details of the network vulnerability assessment to CSB management separately.

       Risk Assessment

CSB did not document the risk assessment for the Information Technology System in the format outlined by National Institute of Standards and Technology (NIST) SP 800-30, Risk Management Guide for Information Technology Systems. The Information Technology System risk assessment does not address the requirements for threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, and control recommendations as outlined in the NIST guide. We found CSB officials were not trained in developing risk assessments consistent with NIST. As a result, CSB has a heightened risk of not identifying risks and implementing mitigating controls over CSB’s Information Technology System; potentially, system threats and risks could go undetected.

       Plans of Action and Milestones

CSB does not have a documented procedure for updating and maintaining a security POA&M for the Information Technology System. Board Order 034 serves as CSB’s information security policy, but the policy does not provide guidance on updating the security POA&M. We did note that the existing Information Technology System POA&M is consistent with federal guidance, but a documented procedure for updating the POA&M would further strengthen CSB’s information security program. As CSB identifies new vulnerabilities, a documented POA&M procedure would help guide CSB personnel in documenting risk mitigation plans and establishing achievable completion dates. Further, should CSB experience turnover in key information security staff, the newer staff may not be as familiar with how to maintain and update the POA&M.

       Contingency Plan

CSB does not have a documented and tested contingency plan for the Information Technology System. Board Order 034 documents a policy and procedure for developing and maintaining a system contingency plan. Further, CSB performs some contingency planning activities, including periodically backing up data and rotating backup data to an offsite location. However, CSB has not developed or tested a system-specific contingency plan. CSB management did not commit the resources and leadership required to develop a contingency plan for the Information Technology System. Without a documented and tested contingency plan completed in accordance with NIST guidance, CSB is at increased risk that, should a significant incident occur, it would not be able to recover Information Technology System capabilities.

       Access Control

CSB does not consistently maintain records for granting access to the Information Technology System. We reviewed documentation supporting access approvals for 13 percent (5 of 40) of Information Technology System users. We found a lack of supporting documentation for every user. A lack of training on the access approval process and on retaining the supporting documentation led to access approval documentation not being maintained. By not maintaining documentation supporting system accesses, CSB is at increased risk that system users are not granted access in accordance with management’s request.

       Audit Logs

CSB has not developed a procedure for performing and documenting log reviews for the Information Technology System. According to CSB officials, security staff members perform a weekly review of Information Technology System audit logs. However, CSB has not documented a specific procedure for performing those audits in accordance with NIST guidance or Board Order 034. The lack of a documented procedure for performing system audit log reviews increases CSB’s risk that information system security personnel will not conduct the log reviews in a consistent manner, which could lead to increased risk of not detecting key security violations and events.

Recommendations

We recommend that the Chairman, U.S. Chemical Safety and Hazard Investigation Board:

       1. Provide appropriate training to CSB individuals responsible for completing the Information Technology System risk assessment. The training should encompass required risk assessment elements.

       2. Perform and document the Information Technology System risk assessment in full accordance with NIST SP 800-30 as required by FISMA and CSB policy.

       3. Enhance Board Order 034 to document a procedure for developing and maintaining the security POA&M for the Information Technology System.

       4. Provide training to key CSB officials on maintaining the POA&M consistent with the documented Board Order 034 procedure.

       5. Develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034 and NIST guidance.

       6. Provide training to CSB management officials on the need to maintain user access documentation in accordance with Board Order 034 and NIST guidance.

       7. Ensure that access approval documentation is maintained for the Information Technology System.

       8. Document an audit log review procedure in Board Order 034 consistent with NIST 800-92. The procedure should describe, at a minimum, which system audit logs are to be reviewed, the frequency of log reviews, the process for documenting the reviews, and any escalation procedures needed should a security violation or other event be identified.

       9. Provide training to security analysts responsible for complying with Board Order 034 device security requirements.

       10. Conduct periodic vulnerability scans to assess device security.

Agency Response and KPMG Comments

In general, CSB agreed with our findings and recommendations. However, CSB disagreed with recommendations related to the prior year audit finding to implement a process for effectively tracking key changes to the Information Technology System security plan. CSB believed that it completed all actions related to the Fiscal Year 2008 recommendations. We reviewed CSB’s actions to address the recommendations and concluded that sufficient actions had been taken to address these two recommendations. As a result, we removed the two recommendations from the final report.


Status of Recommendations and Potential Monetary Benefits

Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Claimed Amount ($000s) | Agreed To Amount ($000s)
1 | 4 | Provide appropriate training to CSB individuals responsible for completing the Information Technology System risk assessment. The training should encompass required risk assessment elements. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
2 | 4 | Perform and document the Information Technology System risk assessment in full accordance with NIST SP 800-30 as required by FISMA and CSB policy. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
3 | 4 | Enhance Board Order 034 to document a procedure for developing and maintaining the security POA&M for the Information Technology System. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
4 | 4 | Provide training to key CSB officials on maintaining the POA&M consistent with the documented Board Order 034 procedure. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
5 | 4 | Develop, maintain, and periodically test a contingency plan for the Information Technology System in accordance with CSB Board Order 034 and NIST guidance. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
6 | 4 | Provide training to CSB management officials on the need to maintain user access documentation in accordance with Board Order 034 and NIST guidance. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
7 | 4 | Ensure that access approval documentation is maintained for the Information Technology System. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
8 | 4 | Document an audit log review procedure in Board Order 034 consistent with NIST 800-92. The procedure should describe, at a minimum, which system audit logs are to be reviewed, the frequency of log reviews, the process for documenting the reviews, and any escalation procedures needed should a security violation or other event be identified. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
9 | 4 | Provide training to security analysts responsible for complying with Board Order 034 device security requirements. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |
10 | 4 | Conduct periodic vulnerability scans to assess device security. | O | Chairman, U.S. Chemical Safety and Hazard Investigation Board | | |

(1)  O = recommendation is open with agreed-to corrective actions pending
     C = recommendation is closed with all agreed-to actions completed
     U = recommendation is undecided with resolution efforts in progress


Appendix A

Microagency Reporting Template

Microagency Reporting Template for FY 2009 FISMA and Information Privacy Management

Agency Name:               Chemical Safety and Hazard Investigation Board
Agency Point of Contact:   Ana Johnson

Microagencies are defined as agencies employing 100 or fewer Full Time Equivalent positions (FTEs). Microagencies must report to OMB annually on FISMA and Information Privacy Management. While quarterly reports/updates are not required, microagencies should be prepared to provide information or to begin submitting quarterly reports to OMB upon request.

1. Information Systems Security

  a.  Total Number of agency and contractor systems: 1
  b.  Number of agency and contractor systems certified and accredited: 1
  c.  Number of agency and contractor systems for which security controls have been tested and reviewed in the past year: 1
  d.  Was an independent assessment conducted in the last year? Yes
  e.  Number of employees: 37
  f.  Number of contractors: 3
  g.  Number of employees and contractors who received IT security awareness training in the last year: 40

2. Information Privacy

  a.  Breach Notification

      Agencies are required by OMB memorandum (M-07-16) of May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” to develop and implement a breach notification policy within 120 days.

      Please certify whether your agency has completed the requirements of M-07-16 by answering "Yes" or "No" to questions (1) through (4) in the table below.

      I certify the agency has completed:
       1.  A breach notification policy (Attachment 3 of M-07-16): Yes
       2.  An implementation plan to eliminate unnecessary use of Social Security Numbers (SSN) (Attachment 1 of M-07-16): Yes
       3.  An implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII) (Attachment 1 of M-07-16): Yes
       4.  Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules (Attachment 4 of M-07-16): Yes

      Note: Microagencies must maintain all documentation supporting this certification, and make it available in a timely manner upon request by OMB or other oversight authorities. Microagencies are not required to provide the actual documentation with the annual report.

  b.  Privacy Impact Assessments (PIAs) and Systems of Record Notices (SORNs)

      Please provide the URL to a centrally located web page on the agency web site on which the agency lists working links to all of its PIAs and working links to all of its SORNs published in the Federal Register. Agencies must maintain all documentation supporting this certification and make it available in a timely manner upon request by OMB or other oversight authorities. By submitting the template the agency certifies that to the best of agency's knowledge the quarterly report accounts for all of the agency’s systems to which the privacy requirements of the E-Government Act and Privacy Act are applicable. If the agency does not have any PIAs or SORNs, enter "NA."

       b.1.  Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs (Hyperlink not required): http://www.csb.gov/index.cfm?folder=contact_information&page=index
       b.2.  Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs (Hyperlink not required): http://www.csb.gov/index.cfm?folder=contact_information&page=index


Appendix B

Agency Response to Draft Report